Hackers Opping Themselves

Discussion in 'Bukkit Help' started by kaise123, Feb 3, 2012.

Thread Status:
Not open for further replies.
  1. TopGear93

    I have a plugin that I just made; it will scrape the ispaid site to see if it's true or false. I'm running into a couple of null exception errors. Other than that it's actually working :D
     
  2. JimDaRulah

    You should send the code to the Bukkit devs. Would be great if they integrated it.
     
  3. TopGear93

    Yea, I might do a pull request.
     
  4. I just would be 'Surprised' if they accept it. They tend to try to stay as close to vanilla as possible.
     
  5. TopGear93

  6. kaise123

    Wow I inspired a plugin :D

    The reason that it is in offline mode is that I originally ran it as a LAN server at school, and some people hadn't paid for the game there and because there was no internet, but have now. Unfortunately lots of people have joined now because it is offline and making it online would cause us to lose many of our players :(
    Another good reason is that whenever any of us Admins log in to the game we get spammed and it's impossible to build or do anything without having to help players with one thing or another, so having another account to log in under and change its prefix is a quick and easy way to fix this.

    Anyway, to sum up what I wanted: even though I have AuthMe and nobody can login as anyone else (without knowing their MC password), does having the server in offline mode cause any insecurities other than people being able to log in under any name? What I am trying to ask is are people able to OP themselves ONLY because the server is offline mode? I am asking because I thought that online mode was only to verify that a user was 'premium' but it didn't actually provide any more security for the server than that. Let me once again make it VERY clear that other users cannot log in as an admin to op themselves; they are doing it purely with some client hack. If it is because of the offline mode can someone explain how it is done? (How are they getting the permission when they cannot login as one of the Admins?)
     
  7. mmmmmm419

    offline mode= cracked Minecraft people can't join, only people who have BOUGHT the game, it's more secure that way since people have to buy another account if they are banned AND it will also stop those fake names
     
  8. kaise123

    *sigh* I have said that people are not using a fake name to make themselves OP, they do it from their own account. It has nothing to do with them faking their name
     
  9. Nathan C

    Um, yes it does. Offline mode = 'cracked', which means anyone can join as any player they want to. I could join as you and OP myself and that is what players are doing. They are logging in as an OP and OPing other users.

    I hear this far too often. There is NO issue with CraftBukkit, the issue is that you are in offline mode. I mean seriously, turn it to online mode and buy the game.
     
  10. ghost0001

    As far as I can tell. I have run my offline server since April 2011. No one has come on to OP themselves ever. It won't happen either because of what I use to keep accounts to people. However, I have run into an issue where I left a security hole in my server about six months ago. It was exploited because I was lazy. Now, I am patching holes and giving just enough perms to my player to make the server fun. I choose to run an offline mode server because I figure it'll give them a taste of what the game is. Then they can go buy it if they so choose to. I also have purchased my own copy of Minecraft. I support the game, but I will continue running a "cracked" server. Funny thing is, you don't have to buy the game to run a server. You just need to buy the client. Why can't you all just see that?
     
  11. bschriver

    I am setting up my own server for the first time and I am trying to go slow, and methodical... step by step to make sure I get the plugin configurations correct. Yesterday I installed GroupManager and Essentials. Today I came home and someone had added themselves to my OP.txt file?

    I have checked server.properties and the config is set to online-mode=true.

    So every answer to the original post was to set this setting to true. So what if you DO have it set to true but someone was able to set themselves to OP?

    Has anyone ever developed a security checklist for Minecraft? What would be awesome is to have a document that outlines the basic mods/plugins most people use and it would tell you what order to install them, what security to set to tighten things down etc.

    Anyway, original problem. Someone ate my porridge and slept in my bed, how do I stop that?
     
  12. andrewpo

    Do any of your users have the '*' node (everything) from permissions?
     
  13. Jade

  14. joehot2000

    Get the plugin OPPassword.
    It stops force-op attacks in their tracks.

    There is a hack that opens the server files and just plonks a name in the ops.txt.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 23, 2016
  15. mbaxter ʇıʞʞnq ɐ sɐɥ ı

    There is no way to do that via Bukkit. A lot of people have been complaining lately about their server hosts' panels being compromised. If someone has gotten op on your server and all of your plugins are from dev.bukkit.org then talk to your host. Your account may have been compromised.
     
  16. Omnitv

    Necro posting? mbaxter?
     
  17. Jozeth

    ?
     
  18. xBlueXFoxx

    Force OP is not possible, the chances are you have a modified or infected plugin/server .jar file, I would suggest running through and getting official versions of plugins/server files, for every plugin you have. It is also possible that as mbaxter said, your host's control panel could be compromised, I would suggest resetting all of your passwords with a variety of cased and numeric letters, the more mixed up the better.

    Support for offline mode servers on Bukkit is limited, do not expect a response from Bukkit on offline mode servers, you're only likely to get smart asses that will either play dumb with you or just tell you straight. Buy the game, and make the people in your server do so also, they don't deserve to play the game, if they're really so cheap as to pirate a very reasonably priced game from incredibly respectable developers, the odds are they're stealing anything else they can on the internet. They have no right to play this game. On that note, this topic should be locked, that was an incredibly long bump that user made.

    Really, there should be a sticky topic explaining offline mode servers more clearly, and Bukkit should not support them at all on their forums. I would also decline all of the auth plugins also, but obviously this isn't my choice.
     
  19. TnT

    Locked. Necro bump.

    There is no such thing as a force OP.
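
The checks suggested in the replies above (online-mode in server.properties, who is listed in ops.txt, and whether plugin jars match official downloads), as an added example that is not code from any poster or from Bukkit. It assumes ops.txt holds one name per line, that plugins sit in a plugins directory, and that the expected op list and SHA-256 baseline are the admin's own records; all sample data is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def read_properties(path):
    """Parse key=value lines of server.properties, skipping comments."""
    props = {}
    for line in path.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(server_dir, expected_ops, known_good):
    """Return findings; expected_ops and known_good are the admin's own records."""
    server_dir, findings = Path(server_dir), []
    props = read_properties(server_dir / "server.properties")
    if props.get("online-mode", "").lower() != "true":
        findings.append("online-mode is not set to true")
    listed = (server_dir / "ops.txt").read_text().splitlines()
    ops = {name.strip().lower() for name in listed if name.strip()}
    for name in sorted(ops - {n.lower() for n in expected_ops}):
        findings.append(f"unexpected op: {name}")
    # A jar whose hash differs from the recorded download was replaced or modified.
    for jar in sorted((server_dir / "plugins").glob("*.jar")):
        digest = hashlib.sha256(jar.read_bytes()).hexdigest()
        if known_good.get(jar.name) != digest:
            findings.append(f"plugin differs from recorded download: {jar.name}")
    return findings

def demo():
    """Run the audit over a constructed server directory (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "server.properties").write_text("#constructed sample\nonline-mode=true\n")
        (root / "ops.txt").write_text("AdminOne\nStranger42\n")
        (root / "plugins" / "Good.jar").write_bytes(b"official build")
        (root / "plugins" / "Swapped.jar").write_bytes(b"modified build")
        known_good = {  # hashes recorded when the jars were first downloaded
            "Good.jar": hashlib.sha256(b"official build").hexdigest(),
            "Swapped.jar": hashlib.sha256(b"other official build").hexdigest(),
        }
        return audit(root, expected_ops={"AdminOne"}, known_good=known_good)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run on a schedule, a change in the findings shows when an op entry or jar changed, which helps separate a tampered plugin from a compromised host panel account.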
     